Hospitals are signing on to use Alexa-type devices to access patient data
Getting personal medical data from a disembodied electronic voice might seem like science fiction but is rapidly turning into reality as hospitals turn to devices like Amazon’s Alexa.
Hospital systems across the country are in the initial stages of rolling out voice-activated digital assistants like Alexa to boost patient engagement and simplify the work of doctors and nurses. The voice-activated devices are being used both in hospitals and at home and can help patients check their medications, look up wait times at the ER, and even help doctors pull data from patient electronic health records.
New York-based Northwell Health, for example, is a month away from rolling out a program that will put Alexa devices in every private room and let patients access data from their medical records, Vishwanath Anantraman, Northwell’s chief information architect, told Bloomberg Law.
But privacy attorneys say the voice-activated devices come with significant privacy and security risks that should be addressed before any widespread use in patient settings. Alexa has faced privacy concerns since the device debuted in 2014, including charges that it’s recording conversations even when seemingly turned off.
The federal Health Insurance Portability and Accountability Act requires health-care providers to ensure the privacy and security of sensitive patient information, and any violations can incur heavy financial penalties.
Any hospital looking to use an Alexa-type device needs to make sure it conducts a thorough risk analysis to identify any privacy or security threats the devices could cause, Nesrin Tift, a health-care attorney with Bass, Berry & Sims PLC in Nashville, Tenn., told Bloomberg Law.
Other hospitals using voice-activated devices include Commonwealth Care Alliance in Massachusetts, which is in the midst of a 50-person pilot program using the devices for home-bound patients. Boston-based Commonwealth Care operates four primary care centers and administers two health plans.
And Boston Children’s Hospital launched a KidsMD program through Alexa all the way back in 2016, which lets parents ask Alexa for information on their children’s symptoms.
Northwell patients and their families will be able to ask Alexa for medical updates under the new program, such as what medications the patient is taking and what their overall condition is, Anantraman said. Northwell operates 23 hospitals and over 700 outpatient facilities, primarily in New York City and Long Island.
“This is about improving patient engagement, which should lead to better health outcomes and lower costs,” Anantraman said.
Patients have to give their consent to have their personal health information accessed through the Alexa device, Anantraman said, and the Alexa devices will keep patient data on Northwell servers instead of in the Amazon cloud.
Another Alexa project coming from Northwell will allow doctors and nurses to ask Alexa for details on a patient’s electronic health record. The so-called Nora project is expected to launch in March, Anantraman said.
Accessing a patient’s electronic health record via a computer is a lengthy and time-consuming process, Anantraman said, noting that the average EHR has 15,000 data points.
Under Northwell’s Nora project, a nurse could ask for the patient’s last glucose level prior to administering insulin and have the result in seconds, Anantraman said.
Northwell has also integrated information on emergency room and urgent care wait times into Alexa, letting patients at home ask Alexa how long it will take before they can get care.
Commonwealth Care Alliance’s pilot is proactive rather than reactive, John Loughnane, chief of innovation, said.
Rather than force patients to ask their device for information, the devices are programmed to speak to them 15 to 20 times a day.
Patients are consulted before the device is programmed to ensure that it will meet their needs, Loughnane said, which helps foster better patient engagement.
Interactions can include everything from playing music for them to telling them to get up and walk or take their medication, Loughnane said.
Commonwealth Care health-care providers can remotely access the device and see how their patients respond to simple questions like how they slept or how they feel.
Commonwealth Care partnered with LifePod on the pilot, and uses devices that are similar to Amazon’s Alexa. Boston-based LifePod is a home-based proactive voice service.
Right now the pilot is focused solely on patient data not covered by federal health-care privacy law, but Loughnane said he’d like to explore moving into using protected health information (PHI) in the future. The current pilot is expected to end in April or May.
Using Alexa in a health-care setting poses three main HIPAA compliance challenges, Mark Swearingen, an attorney with Hall Render Killian Heath & Lyman in Indianapolis, told Bloomberg Law.
One fundamental challenge is whether companies like Amazon that offer voice-activated assistants will sign business associate agreements (BAAs) with health-care providers that use the devices, Swearingen, the head of Hall Render’s privacy practice, said.
In many health-care uses, the digital assistant will record and store PHI in the course of such tasks as answering questions and scheduling appointments, Swearingen said.
“I’m not aware whether Amazon or the other companies are willing to enter into BAAs for the use of digital assistants, especially given that the company has little to no involvement in choosing the setting where its device will be used and what information will be spoken into it,” Swearingen said.
Until the BAA issue can be resolved, HIPAA-covered entities shouldn’t consider using digital assistants for any functions or commands that will involve PHI, without first obtaining patient authorization.
The other two risks include a device being accessed by someone who’s not authorized to receive patient data, and whether any data transmitted by the device is encrypted, Swearingen said.
HIPAA doesn’t prohibit the use of any technology, device, or application, as long as it complies with HIPAA rules, but does impose significant regulation, Iliana Peters, a health-care attorney with Polsinelli PC, told Bloomberg Law. How HIPAA would apply with voice-activated devices depends on how the devices are configured, especially their access controls and encryption, Peters said. “Any tool that creates, receives, maintains, or transmits electronic protected health information must have the appropriate technical, physical, and administrative safeguards in place to protect the confidentiality, integrity, and availability of the ePHI involved,” Peters said.